New Insurance Data Security Model Law Requires Prompt Action

In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (Cyber Model Law), which establishes data security standards for the insurance industry, along with requirements for investigating and reporting cybersecurity events.

The Cyber Model Law requires licensees (insurers, producers and other entities licensed or regulated by state insurance departments) to develop, implement and maintain a written information security program that protects nonpublic information against threats or hazards to its security, integrity or confidentiality.

Once a state enacts the Cyber Model Law, insurers domiciled in that state will have to submit a written certification of compliance to the state insurance commissioner by February 15 of each year, attesting to their compliance with Section 4 of the Cyber Model Law, which sets out the information security program requirements.

The expectation is that these cybersecurity compliance measures will not be a stand-alone exercise but will be integrated with other data security measures into a single information security program that covers compliance and cybersecurity risk management, situated within the organization's broader enterprise risk management program. That integration simplifies board reporting and supports strategic decision-making.

The Cyber Model Law was drafted to be consistent with the New York Department of Financial Services (NYDFS) cybersecurity regulation, which took effect March 1, 2017. The drafting note to the model law states that a licensee in compliance with the NYDFS regulation is also considered in compliance with the Cyber Model Law.

Both laws require discrete, top-down, enterprise-wide cybersecurity risk assessments. These assessments must address not only the likelihood of threats and the potential damage they could cause to information and information systems, but also the adequacy of the policies, procedures, controls and other safeguards in place to manage those threats. Companies should be prepared to demonstrate how assessment results are actually used to manage the identified risks.

Regulators will be looking for programs that contain administrative, technical and physical safeguards, including a written incident response plan. Firms should be able to show that risk assessment findings are being remediated and that the results feed into the organization's broader enterprise risk management program.

The board member or senior officer (or group of them) charged with personally certifying the firm's compliance with these cybersecurity requirements must have access to sufficient written evidence and documentation to support that certification. For that to be possible, the firm needs to keep records of, and continuously monitor, the implementation and ongoing maintenance of its cybersecurity program.

If a licensee learns that a cybersecurity event has or may have occurred, it must promptly investigate to determine whether an event occurred, its nature and scope, and which nonpublic information, if any, was involved. The licensee must then take reasonable measures to restore the security of the compromised information systems and prevent further unauthorized access. Licensees must notify the insurance commissioner of their state of domicile (for insurers) or home state (for producers) within 72 hours of determining that a cybersecurity event has occurred, and must retain records of all cybersecurity events for at least five years.